By Level Legal
Recently, we sat down with David Greetham, Level Legal’s vice president of digital forensics, to talk about the complexities of data investigation and intellectual property protection. With decades of hands-on experience, Greetham offered insights into the evolution of forensics, the challenges of protecting intellectual property, and tactics to outsmart modern digital thieves.
Q: Let’s talk about the history of forensics and the discipline itself.
A: It all began quite some time ago. I often joke that I was three years old when I started, but I might’ve been older. My involvement began as a solution to the growing needs within law enforcement. During the late 80s and early 90s, there was much excitement about the “thousand-dollar computer.” As PCs became available at this price, they were suddenly within reach for many households and offices. Before the arrival of these PCs, many might recall mainframes, where the concept of digital evidence wasn’t quite as we understand it today.
I was part of an organization that provided computer services to local law enforcement. They approached us one day, referring to us as their “computer guys,” with a unique problem related to a computer that they didn’t know how to address. They suspected that this computer contained evidence of a crime. This case led me to help establish a forensics lab for them, and I played a role in developing standards on imaging, preservation, validation, and the presentation of digital evidence in court.
What intrigued me most was the ability to uncover activities and user actions through digital traces on computers. This fascination drew me in, and from that point forward, I dedicated nearly 34 years exclusively to digital forensics.
Q: So, something I hear often from customers is merging collections and forensics together. Could you distinguish those two things?
A: Certainly. When many people hear “forensics,” they immediately think of data collection. While effective data collection is an integral part of the forensic process and is crucial for preserving data integrity, it’s only one aspect. True forensic analysis delves deeper. It’s about investigating the collected data, often referred to as ESI (Electronically Stored Information), to uncover what actions had taken place on a computer.
Analysis and collection are distinct processes. While some organizations focus solely on collection, which is essential, our scope is broader. We not only defensibly collect various types of data but also engage in thorough analysis. This culminates in presenting our findings as evidence in court as experts when required.
Q: What is IP theft?
A: Intellectual property (IP) theft is rampant these days. At its core, it involves taking something that doesn’t belong to you. IP, often in the form of data, typically belongs to an entity or individual and not the person taking it. We frequently encounter instances where employees, who might have been with a company for a long time and might have even played a part in creating certain proprietary materials like client lists, wrongfully take this data. Even if they had a hand in its creation, it doesn’t belong to them. They were compensated with a salary for their contributions, so any material they produced during that time rightfully belonged to the employer.
Employers generally own the intellectual property and commercially sensitive information created by their employees in the course of their employment. If a departing employee takes sensitive business information in violation of policy or agreement, employers could pursue recourse through legal action. Companies may locate relevant policies and agreements, conduct an investigation, consult with counsel, determine potential harm, and file a legal action if warranted.
Q: Some statistics you shared were somewhat shocking to me, even being in the industry as long as I have. Do you want to share a few?
A: Estimates suggest that intellectual property theft costs the U.S. industry around $600 billion annually. From a forensic analysis perspective, roughly two-thirds of our work is dedicated to detecting such theft.
Q: So, as we talk about how to outsmart intellectual property thieves, I think it’s important first to talk about how do we detect this activity?
A: Over the course of my few years of experience in this field, we’ve noticed recurring tactics used by individuals with fraudulent intentions. As technology evolves, so do the methods of deception. In the past, data transfer methods were more rudimentary, relying on serial ports and other basic means. Then came the era of USB sticks, which allowed for easy concealment of copied data. These devices, ranging from large drives to tiny thumb drives, became popular for illicit data transfers. In some cases, we even found data being concealed in devices as discreet as USB-equipped watches.
Recently, the trend has shifted towards the use of personal secure cloud storage, allowing individuals to remotely access and store data. This is why preliminary intelligence is crucial. Understanding a company’s policies, such as whether they have preventive measures in place or if they provide unrestricted tech access to top employees, can be helpful to know. However, one thing remains consistent: when individuals go online, they leave behind a digital footprint in the form of internet history on their computers. That can be analyzed. If you plug in a thumb drive, or other external devices, there’s information within the system that records what happened and when it happened.
Q: When you have an employee departing who has taken files, or when you suspect intellectual property might be leaving your corporate domain, what best practices would you recommend?
A: For every departing employee, many organizations take a full forensic image of their device. This serves two purposes:
- To preserve the data.
- To potentially repurpose the device for a new employee.
If you have any suspicions, obtaining a full forensic image is an inexpensive and straightforward method of preserving the data. If there’s a need for analysis later on – whether examining browser history, secure cloud usage, or specific search terms – having this forensic image allows for a thorough retrospective review of what actions were taken on the computer.
Q: What measures can individuals and organizations take to prevent intellectual property theft?
A: In this world of technology, many successful individuals expect a multitude of devices and access privileges. They might desire two iPads, a laptop, a Mac, a cellphone, and more. Some organizations, unfortunately, provide extensive access, akin to handing over their most valuable assets.
However, a prudent approach is rooted in an information governance mindset: granting access only to what is essential for a person’s role. Take HR files as an example. Even if someone is the top salesperson, it doesn’t mean they should have access to sensitive HR data. The method to ensure this selective access is through strict access control limitations. Instead of granting access to the entire network, only provide access to the necessary tools and information that the employee needs to do their job.
Many organizations, especially in the healthcare sector, enforce strict IT policies. They might disable USB ports or block certain online services on their firewall, like Dropbox, Google Drive, and other cloud storage solutions. This approach aligns with a principle of information governance: Give employees only what they need to perform their tasks, not unrestricted access.